Introduction
The Internet of Things (“IoT”) refers to the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day. The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits.
The growth of network-connected devices, systems and services comprising the IoT provides efficiencies and personalization of experience that is attractive to both manufacturers and consumers. Network connected devices, systems, and services are also increasingly integrated with and relied upon by our Nation’s critical infrastructure, leading to a national dependency. The characteristics of the IoT ecosystem also result in multiple opportunities for malicious actors to manipulate the flow of information to and from network connected devices. Important processes that once were performed manually, and therefore enjoyed a measure of immunity against malicious cyber activity, are growing more vulnerable. Recent large scale distributed denial of service attacks foreshadow increasing in the US and elsewhere.
In 2008, the U.S. National Intelligence Council warned that the Internet of Things (IoT) would be a disruptive technology by 2025. The Council said that individuals, businesses, and governments were unprepared for a possible future when network interfaces reside in everyday things. Almost six years later, this warning remains valid, though it now seems certain that the IoT will be disruptive far sooner than 2025—if it is not so already. More recently in January 2014, the Director of National Intelligence (DNI) stated that “[t]he complexity and nature of these systems means that security and safety assurance are not guaranteed and that threat actors can easily cause security and/or safety problems in these systems.”
Several statistics validate the Government’s concerns: the number of Internet-connected devices first outnumbered the human population in 2008, and that number continues to grow faster than the human population. By 2013, there were as many as 13 billion Internet-connected devices, and projections indicate that this will grow to 50 billion or more by 2020, generating global revenues of greater than $8 trillion by 2020. Many of these systems are visible to any user, including malicious actors, as search engines are already crawling the Internet indexing and identifying connected devices.
The IoT is the latest development in the decades-old revolution in communications, networking, processing power, miniaturization, and application innovation and has radically altered communications, networks, and sensors. The IoT is a decentralized network of objects, applications, and services that can sense, log, interpret, communicate, process, and act on a variety of information or control devices in the physical world. However, the IoT differs from previous technological advances because it has surpassed the confines of computer networks and is connecting directly to the physical world. Just as modern communications have fundamentally altered national security and emergency preparedness (NS/EP), the IoT has had a similar transformative impact. Throughout the communications revolution, a plethora of existing and new technologies have led to astonishing improvements in the efficiency and effectiveness of Government and private sector operations and capabilities; yet the IoT differs in the pace, scale, and breadth of deployment of interconnected devices, which has resulted in immense benefits to individuals and organizations. Despite the benefits, the IoT is accompanied by risk associated with increased dependencies, expanded number of devices, and associated interconnections that will create a large attack surface with numerous potential threat vectors.
The increased attack surface and our Nation’s dependence on these new systems, either directly or through the critical infrastructure systems in which they are embedded, has made the IoT and new systems natural targets for criminals, terrorists, and nation states that wish to exploit them. These dependencies will continue to increase as the IoT permeates all sectors of the economy and all aspects of people’s lives.
While all users have to cope with this expanded attack surface, IoT applications in the NS/EP domain must be hardened against the potential risks. As IoT manufacturers and vendors Interests Out to 2025.
Source: https://www.dhs.gov/sites/default/files/publications/IoT%20Final%20Draft%20Report%2011-2014.pdf